polynomial-c 14/09/30 20:34:29 Added: bash-redir-stack-overflow.patch Log: Added an inofficial patch to finally fix CVE-2014-7186 and CVE-2014-7187 (bug #523742) (Portage version: 2.2.14_rc1/cvs/Linux x86_64, signed Manifest commit with key 0x981CA6FC)
Revision Changes Path 1.1 app-shells/bash/files/bash-redir-stack-overflow.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-shells/bash/files/bash-redir-stack-overflow.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-shells/bash/files/bash-redir-stack-overflow.patch?rev=1.1&content-type=text/plain Index: bash-redir-stack-overflow.patch =================================================================== *** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400 --- parse.y 2014-09-25 19:16:40.000000000 -0400 *************** *** 169,172 **** --- 169,175 ---- static int reserved_word_acceptable __P((int)); static int yylex __P((void)); + + static void push_heredoc __P((REDIRECT *)); + static char *mk_alexpansion __P((char *)); static int alias_expand_token __P((char *)); static int time_command_acceptable __P((void)); *************** *** 266,270 **** /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */ ! static REDIRECT *redir_stack[10]; int need_here_doc; --- 269,275 ---- /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */ ! #define HEREDOC_MAX 16 ! ! static REDIRECT *redir_stack[HEREDOC_MAX]; int need_here_doc; *************** *** 308,312 **** index is decremented after a case, select, or for command is parsed. */ #define MAX_CASE_NEST 128 ! static int word_lineno[MAX_CASE_NEST]; static int word_top = -1; --- 313,317 ---- index is decremented after a case, select, or for command is parsed. */ #define MAX_CASE_NEST 128 ! static int word_lineno[MAX_CASE_NEST+1]; static int word_top = -1; *************** *** 521,525 **** redir.filename = $2; $$ = make_redirection (source, r_reading_until, redir, 0); ! redir_stack[need_here_doc++] = $$; } | NUMBER LESS_LESS WORD --- 526,530 ---- redir.filename = $2; $$ = make_redirection (source, r_reading_until, redir, 0); ! push_heredoc ($$); } | NUMBER LESS_LESS WORD *************** *** 528,532 **** redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, 0); ! redir_stack[need_here_doc++] = $$; } | REDIR_WORD LESS_LESS WORD --- 533,537 ---- redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, 0); ! push_heredoc ($$); } | REDIR_WORD LESS_LESS WORD *************** *** 535,539 **** redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); ! redir_stack[need_here_doc++] = $$; } | LESS_LESS_MINUS WORD --- 540,544 ---- redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); ! push_heredoc ($$); } | LESS_LESS_MINUS WORD *************** *** 542,546 **** redir.filename = $2; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); ! redir_stack[need_here_doc++] = $$; } | NUMBER LESS_LESS_MINUS WORD --- 547,551 ---- redir.filename = $2; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); ! push_heredoc ($$); } | NUMBER LESS_LESS_MINUS WORD *************** *** 549,553 **** redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); ! redir_stack[need_here_doc++] = $$; } | REDIR_WORD LESS_LESS_MINUS WORD --- 554,558 ---- redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); ! push_heredoc ($$); } | REDIR_WORD LESS_LESS_MINUS WORD *************** *** 556,560 **** redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); ! redir_stack[need_here_doc++] = $$; } | LESS_LESS_LESS WORD --- 561,565 ---- redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); ! push_heredoc ($$); } | LESS_LESS_LESS WORD *************** *** 2637,2640 **** --- 2642,2660 ---- static int esacs_needed_count; + static void + push_heredoc (r) + REDIRECT *r; + { + if (need_here_doc >= HEREDOC_MAX) + { + last_command_exit_value = EX_BADUSAGE; + need_here_doc = 0; + report_syntax_error (_("maximum here-document count exceeded")); + reset_parser (); + exit_shell (last_command_exit_value); + } + redir_stack[need_here_doc++] = r; + } + void gather_here_documents ()
